joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Dotted Line Managers and Reports To in Active Directory and/or ADAM

by @ 2:08 am on 7/12/2008. Filed under tech

Someone on ActiveDir Org (and actually on the umich LDAP list as well) was asking about putting multivalued manager info into AD for dotted line reports. Active Directory’s manager attribute is single valued, so this won’t work. You get one manager, have a nice day. 🙂

Well, this someone wants MSFT to add this to their schema. It may happen, it may not. I am not sure how likely it is, as this is the first time I have seen a request like that since 1999, so I am thinking MSFT isn’t being flooded with requests for this. Regardless, if they do, they will have to add new attributes because they won’t be able to modify manager to do this, so you might as well just add your own attributes.

While responding to the post I decided to help out: I designed the required schema extensions and then donated part of my OID space and my joeware prefix for the two needed attributes and an auxiliary class that the attributes are assigned to. You can then attach that aux class to other structural classes statically (there is an example of attaching it to the Person class in the LDF file), or you can use the aux class dynamically and only apply it to the specific objects that need it.

So I decided to post the information and LDIF file here in case anyone else finds it useful. If you do find it useful and have thought “why didn’t MSFT do this?”, please comment. The MSFT DS PG folks swing by and read these entries occasionally, and if I get enough feedback I can always raise it with them as well.

Here is what the use of the attributes will look like if you go to enumerate the information on the user objects:

G:\new1\Dev\SCHEMA\DottedLine>adfind -h . -default -f objectcategory=person joeware-dottedmanagers joeware-dottedreports

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: sfmxp32.test.loc:389
Directory: Active Directory Application Mode
Base DN: CN=addressbook

dn:CN=someuser,CN=addressbook
>joeware-DottedReports: CN=testorgperson,CN=addressbook
>joeware-DottedManagers: CN=someuser3,CN=addressbook
>joeware-DottedManagers: CN=someuser2,CN=addressbook

dn:CN=someuser2,CN=addressbook
>joeware-DottedReports: CN=someuser,CN=addressbook

dn:CN=someuser3,CN=addressbook
>joeware-DottedReports: CN=someuser,CN=addressbook

dn:CN=testuser,CN=addressbook
>joeware-DottedReports: CN=testorgperson,CN=addressbook

dn:CN=testorgperson,CN=addressbook
>joeware-DottedReports: CN=testorgperson,CN=addressbook
>joeware-DottedManagers: CN=testorgperson,CN=addressbook
>joeware-DottedManagers: CN=testuser,CN=addressbook
>joeware-DottedManagers: CN=someuser,CN=addressbook

5 Objects returned
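
The listing above can also be read back mechanically. What follows is an added example, not code from the original post or from AdFind: it parses AdFind-style output (the embedded sample is the listing above, reproduced as constructed text), builds the forward relation from joeware-DottedManagers, and verifies that joeware-DottedReports is exactly its inverse. The point it illustrates is that the back link is never written by an administrator; the DC derives it from the forward link, so any disagreement between the two in a dump means a manager outside the search base or a replication problem to investigate, not a value to correct by hand.

```python
"""Verify that joeware-DottedReports is the exact inverse of joeware-DottedManagers.

Added example, not code from the original post or from AdFind. It parses an
AdFind-style listing, builds the forward relation from joeware-DottedManagers
and checks that every back-link value (joeware-DottedReports) appears exactly
where the forward link implies it. DNs are compared case-insensitively, as the
directory does.
"""
from collections import defaultdict

# Constructed sample: the AdFind output shown in the post, reproduced as text.
SAMPLE = """\
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: sfmxp32.test.loc:389
Directory: Active Directory Application Mode
Base DN: CN=addressbook

dn:CN=someuser,CN=addressbook
>joeware-DottedReports: CN=testorgperson,CN=addressbook
>joeware-DottedManagers: CN=someuser3,CN=addressbook
>joeware-DottedManagers: CN=someuser2,CN=addressbook

dn:CN=someuser2,CN=addressbook
>joeware-DottedReports: CN=someuser,CN=addressbook

dn:CN=someuser3,CN=addressbook
>joeware-DottedReports: CN=someuser,CN=addressbook

dn:CN=testuser,CN=addressbook
>joeware-DottedReports: CN=testorgperson,CN=addressbook

dn:CN=testorgperson,CN=addressbook
>joeware-DottedReports: CN=testorgperson,CN=addressbook
>joeware-DottedManagers: CN=testorgperson,CN=addressbook
>joeware-DottedManagers: CN=testuser,CN=addressbook
>joeware-DottedManagers: CN=someuser,CN=addressbook

5 Objects returned
"""

FORWARD = "joeware-dottedmanagers"   # the writable forward link
BACK = "joeware-dottedreports"       # the back link the DC derives from it


def parse_adfind(text):
    """Return {dn: {attribute: set(values)}} from 'dn:' and '>attr: value' lines.

    Header and trailer lines carry neither prefix and are ignored; a blank line
    ends the current object. Everything is lower-cased for DN comparison.
    """
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if line.lower().startswith("dn:"):
            current = objects.setdefault(line[3:].strip().lower(), defaultdict(set))
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")
            current[attr.strip().lower()].add(value.strip().lower())
    return objects


def expected_back_links(objects):
    """Invert the forward link: manager DN -> set of DNs that list that manager."""
    inverse = defaultdict(set)
    for dn, attrs in objects.items():
        for manager in attrs.get(FORWARD, ()):
            inverse[manager].add(dn)
    return inverse


def back_link_mismatches(objects):
    """List (dn, 'missing' | 'unexpected', value) for every back-link inconsistency.

    A manager outside the search base still appears here through the inverse map,
    so a forward link pointing out of scope is reported as a missing back link.
    """
    inverse = expected_back_links(objects)
    problems = []
    for dn in set(objects) | set(inverse):
        actual = objects.get(dn, {}).get(BACK, set())
        wanted = inverse.get(dn, set())
        problems += [(dn, "missing", v) for v in sorted(wanted - actual)]
        problems += [(dn, "unexpected", v) for v in sorted(actual - wanted)]
    return sorted(problems)


if __name__ == "__main__":
    objs = parse_adfind(SAMPLE)
    issues = back_link_mismatches(objs)
    for dn, kind, value in issues:
        print(f"{dn}: {kind} {BACK} value {value}")
    print(f"{len(objs)} objects, {len(issues)} back-link inconsistencies")
```

Run against the sample it reports five objects and no inconsistencies; deleting one joeware-DottedReports value from the parsed data makes the checker flag it as missing, which is the shape a real discrepancy would take.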

 

Here is the actual LDIF file to import (watch for line wrap). I have tried it with both ADAM and Active Directory using the ADAM SP1 LDIFDE tool, and it works great in both cases.

 

#==================================================================
#
# This file contains extensions for dotted line managers.
# It should be imported with the following command:
#   ldifde -i -f joeware-DottedLine.ldf -s server:port -b username domain password -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
#
#==================================================================

# Attributes

dn: CN=joeware-DottedManagers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.5000
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
adminDisplayName: joeware-DottedManagers
adminDescription: joeware-DottedManagers
oMSyntax: 127
lDAPDisplayName: joeware-DottedManagers
systemOnly: FALSE
isMemberOfPartialAttributeSet: TRUE
linkid: 1.2.840.113556.1.2.50

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

dn: CN=joeware-DottedReports,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.5001
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
adminDisplayName: joeware-DottedReports
adminDescription: joeware-DottedReports
oMSyntax: 127
lDAPDisplayName: joeware-DottedReports
systemOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
linkid: joeware-DottedManagers

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

# Classes

dn: CN=joeware-DottedLine,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: classSchema
subClassOf: top
governsID: 1.2.840.113556.1.8000.1420.1.1.5000
systemMayContain: joeware-DottedManagers
systemMayContain: joeware-DottedReports
adminDisplayName: joeware-DottedLine
adminDescription: joeware-DottedLine
objectClassCategory: 3
lDAPDisplayName: joeware-DottedLine
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1

#
# Update person class with static aux class
#    Remove REM chars (#) to complete
#

#dn: CN=Person,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsschemamodify
#add: auxiliaryClass
#auxiliaryClass: joeware-DottedLine
#-

#dn:
#changetype: modify
#add: schemaUpdateNow
#schemaUpdateNow: 1
#-
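
Before pointing ldifde at a production forest it is worth checking the file mechanically, since a schema addition replicates forest-wide and a mistaken attribute can later be made defunct but never deleted. The following is an added example, not code from the original post: it parses a constructed excerpt of the LDIF above (descriptive attributes and the schemaUpdateNow records trimmed, though the parser handles them) and checks the invariants the design relies on: every OID sits under the 1.2.840.113556.1.8000.1420 branch, the forward link asks the DC for an auto-generated link ID via 1.2.840.113556.1.2.50, the back link’s linkid names that forward link and uses DN syntax, and the auxiliary class (objectClassCategory 3) lists only attributes the file defines. The accepted forward-link syntaxes (DN, DN-Binary, DN-String) are the ones Active Directory allows for linked attributes.

```python
"""Pre-import lint for a linked-attribute schema extension (added example, not the post's code).

Checks the LDIF text before ldifde sees it, since a schema addition is forest-wide and an
attribute can later be made defunct but never deleted.
"""

OWNED_OID_PREFIX = "1.2.840.113556.1.8000.1420."  # branch the post says was assigned to joeware
AUTO_LINKID = "1.2.840.113556.1.2.50"             # linkid value that asks the DC for a new link ID
FORWARD_SYNTAXES = {"2.5.5.1", "2.5.5.7", "2.5.5.14"}  # DN, DN-Binary, DN-String
BACK_SYNTAX = "2.5.5.1"                           # back links must be plain DN syntax

# Constructed excerpt of the post's LDIF (descriptive attributes and rootDSE records trimmed).
LDIF = """\
# Attributes
dn: CN=joeware-DottedManagers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.5000
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
lDAPDisplayName: joeware-DottedManagers
linkid: 1.2.840.113556.1.2.50

dn: CN=joeware-DottedReports,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.5001
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
lDAPDisplayName: joeware-DottedReports
linkid: joeware-DottedManagers

dn: CN=joeware-DottedLine,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.1420.1.1.5000
systemMayContain: joeware-DottedManagers
systemMayContain: joeware-DottedReports
objectClassCategory: 3
lDAPDisplayName: joeware-DottedLine
"""


def parse_ldif(text):
    """Split LDIF into records of {attribute_lower: [values]}; '#' comment lines are skipped."""
    records, current = [], {}
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return records


def lint_schema(records):
    """Return human-readable findings; an empty list means the extension passes."""
    def is_a(rec, kind):
        return kind in (v.lower() for v in rec.get("objectclass", []))

    attrs = {r["ldapdisplayname"][0].lower(): r for r in records if is_a(r, "attributeschema")}
    findings = []
    for name, r in attrs.items():
        oid, syntax = r["attributeid"][0], r["attributesyntax"][0]
        if not oid.startswith(OWNED_OID_PREFIX):
            findings.append(f"{name}: attributeID {oid} is outside the owned OID branch")
        link = r.get("linkid", [None])[0]
        if link is None:
            continue
        if r.get("issinglevalued", ["FALSE"])[0].upper() != "FALSE":
            findings.append(f"{name}: dotted-line links must be multivalued")
        if link == AUTO_LINKID:                     # forward link
            if syntax not in FORWARD_SYNTAXES:
                findings.append(f"{name}: forward link needs a DN-family syntax, got {syntax}")
        else:                                       # back link: must name a forward link in this file
            target = attrs.get(link.lower())
            if target is None or target.get("linkid", [None])[0] != AUTO_LINKID:
                findings.append(f"{name}: linkid {link} does not name a forward link defined in this file")
            if syntax != BACK_SYNTAX:
                findings.append(f"{name}: back link must use syntax {BACK_SYNTAX}, got {syntax}")
    for c in (r for r in records if is_a(r, "classschema")):
        cname = c["ldapdisplayname"][0]
        if not c["governsid"][0].startswith(OWNED_OID_PREFIX):
            findings.append(f"{cname}: governsID is outside the owned OID branch")
        if c.get("objectclasscategory", [""])[0] != "3":
            findings.append(f"{cname}: objectClassCategory must be 3 (auxiliary) to attach to existing classes")
        for member in c.get("systemmaycontain", []) + c.get("maycontain", []):
            if member.lower() not in attrs:
                findings.append(f"{cname}: mayContain {member} is not defined in this file")
    return findings


if __name__ == "__main__":
    results = lint_schema(parse_ldif(LDIF))
    print("\n".join(results) or "schema extension passes all checks")
```

The excerpt passes cleanly. Mistyping the back link’s linkid, or moving an OID out of the owned branch, each produces a single finding naming the offending record, which is the kind of mistake that is cheap to catch in a text file and expensive once it has replicated to every DC in the forest.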


4 Responses to “Dotted Line Managers and Reports To in Active Directory and/or ADAM”

  1. Tim says:

    I work for a very large bank and I would love for the managedby to be multi-valued. I have not directly asked for this, because… well, it’s M$FT and they are smarter than everybody else and don’t really listen when you make product suggestions. On the other hand Quest listens very intently and actually will tell you yes, no, that doesn’t make sense for our product, etc.

  2. joe says:

    Tim: Do you want a multivalued managedBy, or do you want the backend functionality of who has permissions to manage the object to be multivalued? These are different things. The managedBy attribute actually doesn’t do anything except specify a person or group, the group being what people usually use if they need multiple people listed there. As for setting who can actually do something with the object, that is a backend thing on the permissions, handled by the GUI when you set the attribute. I can just as easily define and publish a joeware-ManagedBy and joeware-ManagedObjects if it will be useful for folks.

  3. sean says:

    I’m not sure what all the hubbub is about, as I assumed that simply extending the schema with one’s own attribute would do the trick. I didn’t realize until I saw this article that you can even create your own attribute ID using MSFT’s own OID. One question: I recently applied for my own Private Enterprise Number. Is there any guidance on using it in these situations, or is it preferred to go the way of this article?

  4. joe says:

    Sean: Yep, could easily create your own attribs. I did it because there seemed to be some concern over the design, etc. This is actually a pretty simple design. Not a lot of variables.

    You can’t just create your own OID from Microsoft’s space, well other than using their vbscript tool which is statistically likely to produce something unique. I know mine is unique because MSFT used to assign space under their OID and they assigned the 1.2.840.113556.1.8000.1420 branch to me so no one else anywhere in the world should be using it.

    I also have a PEM if I want to use that as well. The guidance would be to think out how you want to use the address space. Something like what I did where you have

    1.2.840.113556.1.8000.1420.1 – AD/ADAM Extensions
    1.2.840.113556.1.8000.1420.1.1 – Classes
    1.2.840.113556.1.8000.1420.1.1.5xxx – Classes not used for my joeware tools
    1.2.840.113556.1.8000.1420.1.2 – Attributes
    1.2.840.113556.1.8000.1420.1.2.5xxx – Attributes not used for my joeware tools
